Re: [dns-privacy] Roman Danyliw's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

Sara Dickinson <sara@sinodun.com> Thu, 06 May 2021 10:13 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7F3E3A1B80; Thu, 6 May 2021 03:13:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tn6J4xRN-tGz; Thu, 6 May 2021 03:13:18 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCD683A1B7C; Thu, 6 May 2021 03:13:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=vAm/s/9V757em4ZE2a4KEg4VHvJ4myqx0vLlSqkTMJE=; b=KX4Aud4HCb7oHOmFIDrAXAaFlf ZQvuc21x1hdnaYFHb4olBA/25aq7A2tXXztCBYAFp0ShxRunUh+dq30hb3s0Dpxy2ljl4whjvLiJC oGl11+zMqUDQrXg1yc7xzxdqcdrVXlkUyYLAe+0jSX87GuGbm5nZITHM7Eva+7875MNOEOgaLKI+v CBqvQSyB4viIdGuIaQmQye0G+Rd2e8Ypjvdq9SXlKP5FhIUhtvGQHquylHYiB0CFDu8AUQqLFMJGF 23v+MrO3K9ANHaAmpjGDn4IZEUJwBvuB9t4DMC27JTF9rwJ2IaCMtU/tipmAzIJSfIVC1TjEzDgZN 10aftDDg==;
Received: from [62.232.251.194] (port=23682 helo=[172.27.240.5]) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1leb0M-0002ds-NH; Thu, 06 May 2021 11:13:14 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.20\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <162016464323.21297.9629553981279271609@ietfa.amsl.com>
Date: Thu, 6 May 2021 11:13:11 +0100
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-xfr-over-tls@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, tjw.ietf@gmail.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <9D6A2244-45F1-4073-90D5-3C0A8F027ECD@sinodun.com>
References: <162016464323.21297.9629553981279271609@ietfa.amsl.com>
To: Roman Danyliw <rdd@cert.org>
X-Mailer: Apple Mail (2.3445.104.20)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/FFCeA0BR4JQZPkaVwo-6Q-ys4eY>
Subject: Re: [dns-privacy] Roman Danyliw's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2021 10:13:23 -0000


> On 4 May 2021, at 22:44, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-dprive-xfr-over-tls-11: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ———————————————————————————————————

Hi Roman, 

Many thanks for the review. 

> 
> Section 1.  s/can make reconnaissance trivial/can make reconnaissance and
> attack targeting easier/

Yes. 

> 
> Section 1.  Per “… zone walking is now possible with NSEC3 due to
> crypto-breaking advances”, a reference here would be helpful.

Agreed and requested by another reviewer - let me dig a good one out. 

> 
> Section 1.  As far as I can tell the work on draft-vcelak-nsec5 has not been
> adopted and the draft is expired.  Perhaps this should be signaled via s/This
> has prompted further work on an alternative mechanism/This promoted work on an
> alternative mechanism/

That seems reasonable. 

> 
> Section 1.  Per “It is noted that in all of the common open source
> implementations …”, as this is a point in time assessment, it would be helpful
> to at least mention parenthetically the implementations/version numbers
> assessed informally for this conclusion.

Another review suggested just adding “(at the time of writing)” to qualify that statement. Would that be enough (there are at least 5 implementations we could name)?

> 
> Section 1.  Editorial.  “… must cater for accepting …” doesn’t parse for me.

“must therefore accept”?

> 
> Section 4.
> 
>   The threat model does not, however, consider the existence of a zone,
>   the act of zone transfer between two entities, nor the identities of
>   the nameservers hosting a zone
> 
> To further document the assumptions, consider adding that this threat model
> doesn’t consider/protect the mechanisms to decide on triggering the zone
> transfer (e.g., protecting NOTIFY messages from an active attacker)

Thats a reasonable point - I’ll add it. FYI - some operators do protect the NOTIFY with a TSIG for _some_ added protection. 

> 
> Section 6.2.  Per “However it is noted that most widely used open source
> authoritative nameserver implementations (including both [BIND] and [NSD]) do
> IXFR using TCP by default in their latest releases”, as this document ages,
> “latest release” may not be meaningful.  Consider providing a version number
> for [BIND] and [NSD].

Yes - that makes sense here.

> 
> Section 8.4 and 10.4.  As already mentioned by Martin and John -- It seems like
> a strong statement to say that IP ACLs are in the same class of “channel
> authentication” as mTLS.

Hopefully addressed in the thread with Ben.

> 
> Section 8.8.1.  It’s difficult to assess how effective this notional padding
> approach would be for providing traffic analysis protection.  A few thoughts on
> the existing text realizing the details are out of scope:
> 
> -- Does padding for AXoT need to be coordinated with the padding on IXoT?

I think that any zone that uses IXoT and pads would also always apply AXoT padding (because IXoT can fall back to AXoT). It would expect the draft on the specific padding policy would address that in more detail. 

> 
> -- Is keeping state required to ensure that padding provides the appropriate
> obfuscation over time?

Interesting question. Are you thinking about AXoT where the zone could e.g. grow then shrink? If so, that does seem like a good idea (again - input for the follow up padding policy draft - thanks!). 

Thanks and regards

Sara.